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PRIMITIVES FOR FAST SECURE HASH FUNCTIONS AND 

STREAM CIPHERS 

TECHNICAL FIELD 

[0001] The present invention generally relates to cryptology, and more 

particularly, to utilizing primitives for secure hash functions and/or stream ciphers. 

BACKGROUND 

[0002] As digital communication becomes more commonplace, the need for 

securing the communication channels becomes increasingly more important. For 
example, current technologies allow a user to remotely access bank accounts, 
medical information, and other private and sensitive data. 

[0003] Cryptology has been widely used to provide secure digital 

communication. Cryptology relates to the enciphering (or encrypting) and 
deciphering (decrypting) of messages. The encryption and decryption generally 
uses some secret information (such as a key) for processing the data to be secured. 
In d ifferent e ncryption m ethods, a single key or multiple keys may be used for 
encryption and/or decryption. 
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[0004] Currently, two types of symmetric cipher are in common use. 

Generally, the encryption is said to be symmetric-key if for each associated 
encryption/decryption key pair, it is computationally "easy" to determine each of 
the keys in the key pair from the other key in the key pair. The first type of 
symmetric cipher is a block cipher which operates on a large block of data. The 
second type is a stream cipher which, by contrast, operates on relatively smaller 
units of text (such as bits). Depending on its implementation, stream cipher is 
believed to be much faster than block cipher and, hence, of special interest. 

[0005] Additionally, stream ciphers can generate streams (also known as a 
"keystreams") while approaching the high security of one-time pad. Generally, 
one-time pad cipher generates a keystream with the same length as the text 
message being encrypted. The one-time pad keystream is believed to be 
completely random, yielding very high security levels. 

[0006] One of the most widely used stream cipher techniques is the alleged 

RC4 (Ron's Code 4 - variable-key-size encryption algorithm by Ron Rivest of 
RSA (Rivest, Shamir, and Adleman public key encryption technology)). For 
example, the alleged RC4 is used in SSL (secure socket layer) which is 
implemented in many Internet-based communications (e.g., through HTTP (hyper- 
text transfer protocol) and FTP (file transfer protocol)). 
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[0007] The alleged RC4, however, can require eight to sixteen machine 

cycles to output a single byte. While this can be run in software, it requires a 
substantial amount of hardware resources. Also, implementing the alleged RC4 in 
hardware limits the flexibility of running the alleged RC4 on different computing 
devices (i.e., because it would require the presence of alleged RC4-specific 
hardware in each device). 

[0008] Another method u sed for s ecuring d ata i s a hash f unction. A h ash 

function transforms an input string into a fixed-size output string (also known as a 
"hash value"). The size of the output string is referred to as a message "digest." It 
is generally desirable to provide a hash function that is one-way (i.e., hard to 
invert) and collision-free (i.e., different hash values are generated for different 
messages). One standard hash function is SHA-1 (secure hash algorithm as revised 
in 1994) which generates a 160-bit digest from an input stream of less than 2 64 
bits. 

[0009] Cryptographic primitives such as stream ciphers and secure hash 

functions are an essential part of many cryptosystems, making their efficient 
computation an important problem. Most practical implementations, however, use 
custom designs (message digests (e.g., MD5 and MD6), SHA-1 or alleged RC4, 
Seal, and Scream) that depend on empirical analysis, as opposed to formal 
complexity theoretic or information theoretic analysis. 
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[0010] Accordingly, the current solutions fail to provide an efficient 

methodology for quick and secure data encryption/decryption, while maintaining 
sufficient efficiency and/or speed for implementation in software. 

SUMMARY 

[0011] Techniques are disclosed to enable efficient implementation of 

secure hash functions and/or stream ciphers. More specifically, a family of graphs 
is described that has relatively large girth, large claw, and/or rapid mixing 
properties. The graphs are suitable for construction of cryptographic primitives 
such as collision resistant hash functions and stream ciphers, which allow efficient 
software implementation. 

BRIEF DESCRIPTION OF THE DRAWINGS 

[0012] The detailed description is described with reference to the 

accompanying figures. In the figures, the left-most digit(s) of a reference number 
identifies the figure in which the reference number first appears. The use of the 
same reference numbers in different figures indicates similar or identical items. 

[0013] Fig. 1 illustrates an exemplary secure hash function method. 

[0014] Fig. 2 illustrates an exemplary graph-based method for determining 

a hash compression function to implement a secure hash function. 
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[0015] Fig. 3 illustrates an exemplary set of matrices which may utilized as 

primitives for fast secure hash functions and stream ciphers. 

[0016] Fig. 4 illustrates an exemplary matrix-based method for 

implementing the hash function. 

[0017] Fig. 5 illustrates an exemplary method for implementing the stream 

cipher by utilizing the matrix graphs discussed herein. 

[0018] Fig. 6 illustrates a general computer environment, which can be used 

to implement the techniques described herein with respect to provision of secure 
hash functions and/or stream ciphers. 

DETAILED DESCRIPTION 

[0019] The following discussion assumes that the reader is familiar with 

cryptography techniques. For a basic introduction of cryptography, the reader is 
directed to a text written by A. Menezes, P. van Oorschot, and S. Vanstone entitled, 
"Handbook of Applied Cryptography," fifth printing (August 2001), published by 
CRC Press. 

[0020] Overview 

[0021] The following disclosure describes a class of graphs that may be 

employed in software to implement secure hash functions and/or stream ciphers. 
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More specifically, a collection of matrices are described that can be used in the 
construction of graphs suitable for provision of cryptographic primitives. The 
speed of the methodologies described here may be further improved by utilizing 
hardware such as an application specific integrated circuit (ASIC). Also, each 
stage discussed with reference to methodologies herein may be performed by 
software, hardware, firmware, or combinations thereof. 

[0022] Secure Hash Function 

[0023] Fig. 1 illustrates an exemplary secure hash function method 100. The 

method 100 starts with a stage 102 which divides an input string into blocks of 
fixed length (as will be further discussed herein, for example, with respect to Figs. 
2 and 4). A block function is then applied to the first input block (104). The block 
function will be further discussed below under the same title. If more input blocks 
remain for processing (106), the block function is applied to a next input block in 
accordance with select properties of the block function applied to the previous 
block (as discussed below, for example, with reference to matrix graphs). In one 
implementation, the advanced encryption standard (AES) may be used as the inter- 
block function (as will be further discussed with reference to Fig. 4). If all input 
blocks have been processed, the hash value if the input is determined based on the 
result provided by the block function applied to the last input block (110). 
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[0024] Accordingly, instead of a simplified approach that may add the hash 
values of each input block yielding an implementation prone to security risks (e.g., 
because changing the order of input blocks will still result in the same final hash 
value), the method 100 ensures a more secure implementation by generating a 
final hash value recursively based on previously calculated hash values. Other 
implementations will be further discussed herein that utilize graphical and matrix- 
based methodologies to provide a final hash value. 

[0025] Graph-Based Hash Compression Function 

[0026] Fig. 2 illustrates an exemplary graph-based method 200 for 

determining a hash compression function to implement a secure hash function. 
The method 200 may be applied to an input block of fixed size (e.g., by dividing 
the original input string into blocks). In a stage 202, an input block (xj,...,x h where 
each jc g - e {l,...,d}) is received. A regular graph of degree d is provided (204) and 
each outgoing edge of every node of the graph is labeled, for example, with an 
integer having a value less than or equal to d (206). The node label may be used to 
navigate or trace the graph for encryption/decryption purposes. 

[0027] A hash function may be constructed by starting at a node z 0 and 

tracing a path which is described by the sequence x Jf ...,x d (208). The final point of 
the trace indicates the value of the compression function (210). 
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[0028] In an implementation, the compression function determination 

requires two properties: 

[0029] (1) the directed parallel girth of the graph is large in 

comparison to the input block length so that parallel directed paths between any 
two nodes do not exist; and 

[0030] (2) the average directed claw length is large enough 

so that starting from two random nodes one can find a common node reachable by 
a path of length / only with negligible properties. 

[0031] Various types of intersecting paths may be considered for the graph 

girth. For example, a directed parallel cycle may include two directed paths 
starting at a same node and ending at a same node. A directed claw may be 
considered when the start nodes are different with a same end node. And, a 
directed cycle would start and end at a same node. 

[0032] Property (1) is important so that one does not find collisions on the 

first block. If a randomizing function (such as a block cipher done by the data 
encryption standard (DES), MD5, and the like) is applied at the end of the first 
block, then on two different inputs property (2) avoids a collision in the next block 
and so on. Specific groups of matrices will be introduced under the section entitled 
"matrix graphs" below that will possess these properties. Moreover, the matrices 
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are carefully chosen to contain small entries and admit efficient implementation 
(e.g., when implemented in software). 

[0033] Matrix Graphs and Block Functions 

[0034] In one implementation, the block function is based on a walk on a 

Caley graph (referred to herein as a "matrix graph") defined by the matrices. Let 

/ 32 

some m=2 (e.g., m=2 ), where m is the number of nodes in the matrix graph. Let 
A={o y,..., <r k } be a set of generators (such as those shown in Fig. 3 and further 
discussed below), with o^II^ for some r, that is, a rxr matrix over integers 
modulo m. In certain examples herein, the constructions shown use r = 3. Let the 
graph with vertex set T/= U* r and edges {(MJSf) \ N= c h a { e A}. Note gis 
a directed graph. 

[0035] Given such a graph (£), the block function <8 may be defined as 

follows. Let 27 be an alphabet of size k (the number of generators of 0. Then <B 
will map 1^2"— so that given an initial location M and input X= X],...,x t with 
each Xi a character over 27, we have that (BiMJC) is a matrix in V By taking any 
correspondence between 27 and A, each x, may be viewed as a matrix B ie A. We 
can now define: 

[0036] B(MJC) ± M f]i?. 
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[0037] As discussed above with respect to properties (1) and (2), the desired 

characteristics of the block function may be summarized as: 

1 . If M is any vertex M of g and N any neighborhood of 
M with radius / or less, then N is a tree; and 

2. If My and M 2 are vertices in a graph, Mj and M 2 form a 
d-claw if there are paths p { and p 2 of length d and a vertex N with My -> p/ N and 
^K? N. Then, (B should have the property that the probability that uniformly 
chosen M } and M 2 form an n-claw is negligible. 

[0038] Let ^ be a random one-way function mapping some domain <D to <D, 

with a bijection (p\<D->V. Let /be the identity matrix in V, Let the input be X/,...JC b 

with each X^l! as above. We assume that the input is an integral number of 
blocks; padding issues for inputs of different sizes can be dealt with using standard 
methods. Define Y 0 = I and for l<i<b 9 Y t = (p(g((p~\(B(Y i - l Jf l )))). We may define 
the hash function as #(J0,...^) = Y b . 

[0039] In one implementation, if such a bijection (p is difficult to find, a 

relaxed bijection y/ can be used instead. More specifically, let /(XJbe a secure 
hash evaluated at X t that outputs w bits, which are interpreted by any convenient 
technique as numbers a h a 2 , and a 3 and defining Y t y/ (Xj) by: 
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[0040] ¥ {X t ) = 



'\ a, a? 

0 1 a % 
,0 0 1, 



[0041] Accordingly, it can be seen that given two inputs X and X\ if they 

collide on an interblock step, the girth arguments show that if they differ on the 
following block, the outputs at the end of that block will differ also. 

[0042] If d is chosen sufficiently small, property (2) can be shown for all 

graphs. In particular, let n be the number of nodes in a graph, and let d = (log 
n)l(2+s). Let B{u) be the number of nodes within distance d of a node u; then 
\B(u)\eo(^ln). Now if a node v is chosen at random, we have as well \B(v)\eo(^ln). 
Accordingly, the probability that u and v form a claw (e.g., reaching a same node) 
is bounded by \B(u)nB(v)\/neo(\). Thus, if d is logarithmic in the number of 
nodes in the graph, the probability of picking a claw is negligible. 

[0043] Fig. 3 illustrates an exemplary set of matrices (300) which may 

utilized as primitives for fast secure hash functions and stream ciphers. In one 
implementation, experimentation has shown that the graph derived from the 
matrices shown in Fig. 3 has better eigenvalue separation than Ramanujan graphs 
for graphs of size up to a million: X 2 =0.63 for Ramanujan as opposed to X 2 = 0.57 
for the present graph. 
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[0044] Hash Implementation 



[0045] Fig. 4 illustrates an exemplary matrix-based method 400 for 

implementing the hash function. To implement the hash function, a table of entries 
including all possible products of the generator matrices is constructed (402). For 
example, a table with 512 entries is constructed for all possible length three 
products of the generator matrices discussed with reference to Fig. 3. The number 
of nodes (m) may be set to 2 32 (e.g., a natural size of integers on current systems as 
will be further discussed with reference to Fig. 6). In one implementation, this 
implies that / of 16 can be used. Furthermore, AES may be used as the inter-block 
function g. 

[0046] In a stage 404, the initial matrix M is set to be the identity matrix 

(such as discussed with reference to the matrix / in the vertex set V). A stage 406 
processes the data input blocks (e.g., as 9-bit blocks in the example discussed with 
reference to Fig. 3). Each block is used to index a matrix A in the table (408). As 
long as more input blocks remain for processing (410), a stage 412 updates M 
(M<r-A-M). Once all input blocks are processed (410), a stage 414 determines the 
final hash value (such as discussed with reference stage 310 of Fig. 3). 

[0047] Accordingly, instead of a simplified approach that may add the hash 

values of each input block yielding an implementation prone to security risks (e.g., 
because changing the order of input blocks will still result in the same final hash 
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value), the method 400 ensures a more secure implementation by multiplying the 
hash values of each input block by a set of generator matrices (such as those 
discussed with reference to Fig. 3). Also, even though the methods 200 of Fig. 2 
and 400 of Fig. 4 are based on graphs and matrices, respectively, it is envisioned 
that graphs may be readily represented by matrices and vice versa. 

[0048] In one implementation, using a table of 256 entries based on a set of 

four generator matrices is not as efficient as the example discussed with reference 
to Fig. 4. In spite of the unnatural block size (in light of byte-size computing 
prevalent), the 9-bit implementation provides more speed (3 1 MB/s for the 9-bit 
block size versus 27 MB/s for the 8-bit block size). This is true, in part, because 
fewer matrix multiplications need to be performed. 

[0049] Stream Cipher Amplification 

[0050] The matrix graphs discussed herein also have expansion properties 

that make them suitable for constructing stream ciphers. For example, the alleged 
RC4 can be thought of as a random walk on a graph with a set of permutations on 
{1,...,256}. The matrix graphs have the additional property that their directed girth 
is relatively large. So, a random walk can not return to a given node in a relatively 
short amount of time. An immediate way to use this graph is to stretch the outputs 
of the alleged RC4, by using the alleged RC4's output as a way to perform a 
random walk on the graph. For example, after being initialized with a key k which 
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sets the internal state, the stream cipher outputs a sequence of bytes, jcy^v— Each 
Xj output is a function of the current internal state of the cipher, which is changed 
with each output. In an implementation, the output of this stream cipher is free of 
the correlations that have been found in the alleged RC4. 

[0051] Fig. 5 illustrates an exemplary method 500 for implementing the 

stream cipher by utilizing the matrix graphs discussed herein. After constructing a 
graph (502), each node of the graph may be labeled by a matrix (504). The number 
of nodes may vary depending on the implementation. A stage 506 facilitates 
navigation to a next node. As long as there remain other nodes to navigate to 
(508), each matrix associated with a node is multiplied by a generator matrix (510) 
such as those discussed with reference to Fig. 3. Once no more nodes remain 
(508), a hash value corresponding to the sequence of intermediate nodes is 
determined (512). The hash value may be determined such as discussed with 
reference to the previous figures (e.g., Figs. 2 and 4). 

[0052] As discussed with reference to the block functions, by a suitable 

choice of generators A 9 each jc ; output may be associated by the block cipher with a 
matrix B(x t ), and form a walk on the matrix graph generated by A. For a matrix 



fa b c\ 
d e f 
0 0 1 



let L(B)= (top(c),top(/)) be the label output for each matrix at each 



step in the random walk. The empirical expansion properties enjoyed by g(A) 
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indicate that the sequence L(B(x J )) y L(B(x 2 )),... should be a pseudorandom 
sequence, if the are. 

[0053] A remaining portion of this description (immediately following this 

section) d eals w ith p roof t hat t he g enerator matrices u sed h erein ( such a s t hose 
discussed with reference to Fig. 3) possess the discussed properties. Furthermore, 
methodologies for generating other generator matrices (e.g., of different size) are 
described which could be used in the implementations discussed herein (e.g., in 
place of the matrices illustrated in Fig. 3). Accordingly, a class of monoids will be 
described that can be used to construct graphs with provable girth properties. 
These monoids may be used as a primitive for secure hashes and stream ciphers. 

[0054] Free Monoids 

[0055] The monoid <M generated by the matrices S and T below is free, that 

is, isomorphic to the monoid of binary strings. 







a o 




, and T = 






,0 \j 



[0057] One way to prove this is to show that given A e M, only one of 

A • S = A or A • T = A holds with A e M In fact, the maximum component of A is 
shown to be strictly less than that of A, so that an easy induction accomplishes the 
proof. 
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[0058] Thus, an easy way to show that a monoid M generated by some set g 

of matrices is free, is to show that for any A e 9A, there is a unique U A e Q with 
A • U = A , where A s 9/L and smaller in some sense than A. 

[0059] Considering the finite monoid generated by S and T (where 

operations are reduced modulo m = 2 ; ), the matrix graph so defined has relatively 
high girth. 

[0060] Lemma. The matrix graph generated by S and T with operations 

modulo m = 2 I has girth / - 1 . 

[0061] Proof. As the graph is a Cayley graph, it suffices to show that the 

identity / is not involved in a short cycle. Consider a matrix A on a path from the 
identity, and let a max be the maximum coefficient in A, If a max < mil, then the 
maximum coefficient of either AS or ^47" is at most 2a max . Hence, if A is arrived at 
from a path of length t from /, and A is the matrix in the infinite monoid over Z , 
if t < /, then a max < m, and A = A component-wise. In particular, as the infinite is 
free, A * I . Thus I i s n ot i nvolved i n a c ycle o f length 1 ess t han / , proving t he 
lemma. 

[0062] Accordingly, this shows that it may generally be enough to find free 

monoids in one implementation. Moreover, the construction of the free monoid 
above suggests that to show that a monoid 9A generated by some set g of matrices 
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is free, one should show that for any A e fW, there is a unique U A e g with 
A - U = A, where A e 9A and smaller in some sense than A. 

[0063] A Free Monoid 

[0064] For a simple construction, let g x = {Ti,...,x 4 }and 9A\ be the monoid 

generated by g u with: 







ri o 


°) 






1 


1> 




f 2 


1 


1> 




'2 


1 


°1 


[0065] 




2 1 


0 


. T 2 = 


1 


1 


1 




1 


1 


1 




0 


1 


0 






^0 0 


1, 






0 


i; 






0 






,o 


0 


K 



[0066] Note that if a h for / =1 ...4, are the nontrivial degree-5 Gabber-Galil 

generators, then: 

[0067] Tj = 0 2 , T 2 = 0^4, T 3 = G 3 0 2 , T 4 = <T 3 2 

[0068] Lemma. The monoid M\ is free. 

[0069] Proof. Given a matrix A, let v4° be the upper-left 2x2 submatrix of A. 

We note that cr? is either S for / = 1,2 and 7 for s = 3,4. Also, as the first two 

columns of the last row of any element of g x are zero, if A = Y\ ^' f° r some 

Uje g u then A°= Y[U? • Thus, given any ^ 6 5Wi, we have that ^4° is equivalent to a 
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string s A over {S,T} 9 by the free-ness of the 2x2 monoid. Examining the generators, 
one can see that: 

[0070] t?=S-S 9 t° 2 =S-T,t 0 3 =T.S,t° 4 =T-T 

[0071] Hence, given the last two characters of s Ay one can see that there is a 

unique r, such that A -T/ = A, with A ^ tM\ - Furthermore, as | s A |= |^|-2, there is a 
norm on <M\ that has been reduced, and so one can induct that M\ is indeed free. 

[0072] General 3x3 Monoids 

[0073] Any element of SL 2 (Z + ) can be identified with a binary string by 
forming the unique product equaling that element. The monoid of the previous 
section is then constructed from a set of SL 2 (Z + ) matrices whose strings are 
suffix-free. The entries in the third column are in this sense spurious. At the very 
least, aesthetic considerations may compel discovering matrices where all columns 
are involved in forming unique products. 

[0074] A general class of free monoids are illustrate, of which the matrices 

of Fig. 3 are an example. 

[0075] Definition. Let the components of a matrix be: 
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[0076] 



( a b 
d e f 



0 0 1 



[0077] A matrix is called feasible if the following holds: 



[0078] 



a + b >c, and d + e > f 



[0079] Lemma. Any product of feasible generators has the sum of the first 
two columns strictly greater than the third, for the upper two components. 

[0080] Proof. The proof is by induction on the length of the product. The 
base case is clear by the definition of feasible. Now suppose: 



[0081] 



M= 



'A B 
D E F 
v 0 0 1, 



[0082] Assume that the sum of the first two columns is strictly greater than 

the sum of the third. Then, if one takes a step by a feasible generator, the first row 
is [A a + B d , Ah + B et A c + Bf+ C]. Summing the first two entries results in: 



[0083] 



A(a +b) + B(d + e) > Ac + Bf + A + B > Ac + Bf + C 



[0084] Based on the property assumed of the generator matrix, the extra A 

and B result from the inequalities (and the strict inequality from the assumption 
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that at least one of the generator inequalities is strict). Finally, the assumption on 
M gives A + B > C, proving the lemma. 



[0085] Next, a general construction of generators whose monoid is free is 

described. Note this is one of many obvious ways to generalize the construction. A 
set of matrices Cj,...,C k is said to be free if the monoid generated by them is free. 
This is equivalent to their expressions as products of SL 2 ( Z + ) being prefix-free. 

[0086] Lemma. Let C C k be any free matrices in SL 2 (Z + ). Fix a column 

Cj of Cj , and let gf for i = 1 ,2 be elements of SL 3 ( Z + ) defined from C, by: 



[0087] 



C, 



[0088] 



where the u ( p and v* () are any integers satisfying: 



[0089] 







f"5 2) l 


v (/) 


< Cj < 


(2) 


V J ) 




< J J 



[0090] as well as the conditions of previous Lemma. Then, the monoid 

generated by £ = {g { p} > with j = and i = 1,2, is free. 



[0091] Proof. Let <M be the monoid generated by the Q of the lemma. The 

same technique as before may be used, namely, given any Xe it can be shown 
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that eitherXe or there is a unique r e M with ^ =Jf f or s ome XeiW.Given 
Jfe as before one can see that X° = Yl^u > f° r some so a 7 can be 

found so that either = ^g* 0 or X = Igj 2) . The question now is to disambiguate 

between these two choices. Let Xj be the column vector of the first two coordinates 
of the column of A" corresponding to c } (i.e., the first or second column, depending 
on what was used to choose the third column of gf). Similarly, let x 3 be the first 

two coordinates of the third column of X. Let uf=uf and v^vj 0 . The 

disambiguation is performed by picking iff xj>c 3 . To show this works, suppose 

that X = Xgf ) butjc^rj. If/=1: 



[0092] 



X = 



U b 
d e f 



and Cj = 



f w x^ 



U Z J 



[0093] 



then xj>x 3 implies: 



[0094] 



wa + yb\( u 2 a + v 2 b + c\^ f wa + yb + c^ 



wd + ye j 



u 2 d + v 2 e + f 



wd + ye + f 



[0095] 



as u 2 >w and v 2 >y. But the first and final inequalities are impossible, 



as all numbers are >0. For the other direction, assume that X = X g^but Xj is not 



greater than or equal to x 3 . Then, either 
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[0096] 



wa + yb < Uja + V]b + c<wa + yb + c- a~b, 



[0097] or wd + ye < i^d + v,e + f < wd + ye + f - d - e, 

[0098] by the choice of Uj and v h But this implies either a+b<c or d+e<f^ 
and as the g*° are feasible generators, neither situation is possible by the previous 
Lemma. The case when j=2 is analogous. 

[0099] Accordingly, the vectors {u (i) ,v (i) } ^i %2 are a disambiguating pair with 

respect to a matrix C € SL 2 ( Z + ) if they satisfy the conditions of the lemma above. 

[00100] Remark. Accordingly, this construction can be easily extended to 
generators of larger dimension. 

[00101] Hardware Implementation 

[00102] Fig. 6 illustrates a general computer environment 600, which can be 
used to implement the techniques described herein with respect to provision of 
secure hash functions and/or stream ciphers. The computer environment 600 is 
only one example of a computing environment and is not intended to suggest any 
limitation as to the scope of use or functionality of the computer and network 
architectures. Neither should the computer environment 600 be interpreted as 
having any dependency or requirement relating to any one or combination of 
components illustrated in the exemplary computer environment 600. 
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[00103] Computer environment 600 includes a general-purpose computing 
device in the form of a computer 602. The components of computer 602 can 
include, but are not limited to, one or more processors or processing units 604 
(optionally including a cryptographic processor or co-processor), a system 
memory 606, and a system bus 608 that couples various system components 
including the processor 604 to the system memory 606. 

[00104] The system bus 608 represents one or more of any of several types 
of bus structures, including a memory bus or memory controller, a peripheral bus, 
an accelerated graphics port, and a processor or local bus using any of a variety of 
bus architectures. By way of example, such architectures can include an Industry 
Standard Architecture (ISA) bus, a Micro Channel Architecture (MCA) bus, an 
Enhanced ISA (EISA) bus, a Video Electronics Standards A ssociation (VESA) 
local bus, and a Peripheral Component Interconnects (PCI) bus also known as a 
Mezzanine bus. 

[00105] Computer 602 typically includes a variety of computer-readable 
media. Such media can be any available media that is accessible by computer 602 
and includes both volatile and non-volatile media, removable and non-removable 
media. 

[00106] The system memory 606 includes computer-readable media in the 
form of volatile memory, such as random access memory (RAM) 610, and/or non- 
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volatile memory, such as read only memory (ROM) 612. A basic input/output 
system (BIOS) 614, containing the basic routines that help to transfer information 
between elements within computer 602, such as during start-up, is stored in ROM 
612. RAM 610 typically contains data and/or program modules that are 
immediately accessible to and/or presently operated on by the processing unit 604. 

[00107] Computer 602 may also include other removable/non-removable, 
volatile/non-volatile computer storage media. By way of example, Fig. 6 
illustrates a hard disk drive 616 for reading from and writing to a non-removable, 
non- volatile magnetic media (not shown), a magnetic disk drive 618 for reading 
from and writing to a removable, non-volatile magnetic disk 620 (e.g., a "floppy 
disk"), and an optical disk drive 622 for reading from and/or writing to a 
removable, non-volatile optical disk 624 such as a CD-ROM, DVD-ROM, or other 
optical media. The hard disk drive 616, magnetic disk drive 618, and optical disk 
drive 622 are each connected to the system bus 608 by one or more data media 
interfaces 626. Alternatively, the hard disk drive 616, magnetic disk drive 618, and 
optical disk drive 622 can be connected to the system bus 608 by one or more 
interfaces (not shown). 

[00108] The disk drives and their associated computer-readable media 
provide non-volatile storage of computer-readable instructions, data structures, 
program modules, and other data for computer 602. Although the example 
illustrates a hard disk 616, a removable magnetic disk 620, and a removable 
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optical disk 624, it is to be appreciated that other types of computer-readable 
media which can store data that is accessible by a computer, such as magnetic 
cassettes or other magnetic storage devices, flash memory cards, CD-ROM, digital 
versatile disks (DVD) or other optical storage, random access memories (RAM), 
read only memories (ROM), electrically erasable programmable read-only 
memory (EEPROM), and the like, can also be utilized to implement the exemplary 
computing system and environment. 

[00109] Any number of program modules can be stored on the hard disk 616, 
magnetic disk 620, optical disk 624, ROM 612, and/or RAM 610, including by 
way of example, an operating system 626, one or more application programs 628, 
other program modules 630, and program data 632. Each of such operating system 
626, one or more application programs 628, other program modules 630, and 
program data 632 (or some combination thereof) may implement all or part of the 
resident components that support the distributed file system. Example of program 
modules and data is discussed below with reference to Fig. 22. 

[00110] A user can enter commands and information into computer 602 via 
input devices such as a keyboard 634 and a pointing device 636 (e.g., a "mouse"). 
Other input devices 638 (not shown specifically) may include a microphone, 
joystick, game pad, satellite dish, serial port, scanner, and/or the like. These and 
other input devices are connected to the processing unit 604 via input/output 
interfaces 640 that are coupled to the system bus 608, but may be connected by 
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other interface and bus structures, such as a parallel port, game port, or a universal 
serial bus (USB). 

[00111] A monitor 642 or other type of display device can also be connected 
to the system bus 608 via an interface, such as a video adapter 644. In addition to 
the monitor 642, other output peripheral devices can include components such as 
speakers (not shown) and a printer 646 which can be connected to computer 602 
via the input/output interfaces 640. 

[00112] Computer 602 can operate in a networked environment using logical 
connections to one or more remote computers, such as a remote computing device 
648. By way of example, the remote computing device 648 can be a personal 
computer, portable computer, a server, a router, a network computer, a peer device 
or other common network node, game console, and the like. The remote 
computing device 648 is illustrated as a portable computer that can include many 
or all of the elements and features described herein relative to computer 602. 

[00113] Logical connections between computer 602 and the remote computer 
648 are depicted as a local area network (LAN) 650 and a general wide area 
network (WAN) 652. Such networking environments are commonplace in offices, 
enterprise- wide computer networks, intranets, and the Internet. 
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[00114] When implemented in a LAN networking environment, the 
computer 602 is connected to a local network 650 via a network interface or 
adapter 654. When implemented in a WAN networking environment, the computer 
602 typically includes a modem 656 or other means for establishing 
communications over the wide network 652. The modem 656, which can be 
internal or external to computer 602, can be connected to the system bus 608 via 
the input/output interfaces 640 or other appropriate mechanisms. It is to be 
appreciated that the illustrated network connections are exemplary and that other 
means of establishing communication link(s) between the computers 602 and 648 
can be employed. 

[00115] In a networked environment, such as that illustrated with computing 
environment 600, program modules depicted relative to the computer 602, or 
portions thereof, maybe stored in a remote memory storage device. By way of 
example, remote application programs 658 reside on a memory device of remote 
computer 648. For purposes of illustration, application programs and other 
executable program components such as the operating system are illustrated herein 
as discrete blocks, although it is recognized that such programs and components 
reside at various times in different storage components of the computing device 
602, and are executed by the data processor(s) of the computer. 

[00116] Various modules and techniques may be described herein in the 
general context of computer-executable instructions, such as program modules, 
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executed by one or more computers or other devices. Generally, program modules 
include routines, programs, objects, components, data structures, etc. that perform 
particular tasks or implement particular abstract data types. Typically, the 
functionality of the program modules may be combined or distributed as desired in 
various implementations. 

[00117] An implementation of these modules and techniques may be stored 
on or transmitted across some form of computer-readable media. Computer- 
readable media can be any available media that can be accessed by a computer. By 
way of example, and not limitation, computer-readable media may include 
"computer storage media" and "communications media." 

[00118] "Computer storage media" includes volatile and non-volatile, 
removable and non-removable media implemented in any method or technology 
for storage of information such as computer-readable instructions, data structures, 
program modules, or other data. Computer storage media includes, but is not 
limited to, RAM, ROM, EEPROM, flash memory or other memory technology, 
CD-ROM, digital versatile disks (DVD) or other optical storage, magnetic 
cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, 
or any other medium which can be used to store the desired information and which 
can be accessed by a computer. 
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[00119] "Communication media" typically includes computer-readable 
instructions, data structures, program modules, or other data in a modulated data 
signal, such as carrier wave or other transport mechanism. Communication media 
also includes any information delivery media. The term "modulated data signal" 
means a signal that has one or more of its characteristics set or changed in such a 
manner as to encode information in the signal. By way of example, and not 
limitation, communication media includes wired media such as a wired network or 
direct-wired connection, and wireless media such as acoustic, RF, infrared, and 
other wireless media. Combinations of any of the above are also included within 
the scope of computer-readable media. 

[00120] Conclusion 

[00121] Although the i nvention h as b een d escribed i n 1 anguage s pecific t o 
structural features and/or methodological acts, it is to be understood that the 
invention defined in the appended claims is not necessarily limited to the specific 
features or acts described. Rather, the specific features and acts are disclosed as 
exemplary forms of implementing the claimed invention. For example, the 
techniques described herein may be applied to other applications such as message 
authentication codes (MACs). 
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